HIPAA Enforcement Guide: When Violations Become Criminal vs. Civil, With Examples
Civil HIPAA Violations Overview
In HIPAA enforcement, most cases are civil. These arise when an organization fails to implement required safeguards for Protected Health Information (PHI) or commits an Unauthorized Disclosure through negligence rather than intentional misuse. Civil violations typically involve gaps in policies, training, or technical controls that undermine medical record privacy.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services leads civil investigations. OCR resolves complaints and breach reports through HIPAA Enforcement Actions such as corrective action plans, monitoring, and, when warranted, civil monetary penalties. Key drivers of the outcome include the nature and extent of the violation, the number of individuals affected, the harm caused, and how quickly the entity remedied the issue.
Criminal HIPAA Violations Overview
HIPAA becomes criminal when someone knowingly obtains, uses, or discloses PHI in violation of the law. Intent separates criminal from civil: actions taken under false pretenses or for personal gain, commercial advantage, or malicious harm move the conduct into criminal territory.
The Department of Justice (DOJ) prosecutes these cases. Penalties scale with intent: up to one year of imprisonment for basic knowing violations, up to five years for offenses under false pretenses, and up to ten years when the goal is profit or harm. Individuals—employees, contractors, business associates—are common defendants, though organizations can face liability as well.
Examples of Civil Violations
- Misdirected faxes or emails that reveal PHI to the wrong recipient due to inadequate verification procedures.
- Lost or stolen laptops containing unencrypted PHI where risk analysis and reasonable device safeguards were not in place.
- Failure to conduct an enterprise-wide risk analysis or to implement risk management plans under the Security Rule.
- Insufficient access controls or audit logging that allow workforce members to view more than the minimum necessary PHI.
- Not executing a Business Associate Agreement (BAA) before sharing PHI with a vendor.
- Delayed breach notifications—failing to notify individuals and HHS without unreasonable delay and within 60 days of discovery.
- Publishing patient names on public schedules or whiteboards visible to visitors beyond the minimum necessary standard.
- Inadequate workforce training leading to routine process errors that expose PHI.
Examples of Criminal Violations
- Stealing PHI to commit identity theft or financial fraud.
- Accessing a celebrity’s or acquaintance’s medical record out of curiosity and sharing it with others.
- Posing as a provider or staff member to obtain PHI under false pretenses.
- Selling or bartering patient lists to a marketing company without authorization.
- Retaining PHI after termination and using it to solicit patients to a competing practice.
- Diverting prescription information for personal gain or to cause harm.
Enforcement Agencies and Their Roles
Office for Civil Rights (OCR): OCR investigates complaints, reviews breach reports, and conducts compliance reviews. Outcomes range from technical assistance to resolution agreements with corrective action plans, independent monitoring, and civil monetary penalties. OCR also refers matters suggesting criminal intent to DOJ.
Department of Justice (DOJ): DOJ evaluates whether conduct meets HIPAA’s criminal standards and may charge related crimes (e.g., identity theft, wire fraud). U.S. Attorneys’ Offices coordinate with OCR and investigative partners to build cases and seek fines, restitution, and imprisonment.
State Attorneys General: Under the HITECH Act, state AGs may bring civil actions on behalf of residents for HIPAA violations, seeking injunctions and damages. They often work in parallel with OCR to drive remediation.
Other partners: The HHS Office of Inspector General may assist investigations, and regulators like the FTC handle privacy issues for entities not covered by HIPAA. Within HIPAA, however, OCR and DOJ remain the primary enforcers.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Penalty Structures for HIPAA Violations
The Four-Tiered Penalty System (Civil)
- Tier 1 — No knowledge: The entity did not know and, exercising reasonable diligence, would not have known of the violation. Fines start in the low hundreds per violation, subject to annual caps per violation type.
- Tier 2 — Reasonable cause: The violation was due to reasonable cause and not willful neglect. Fines increase substantially per violation.
- Tier 3 — Willful neglect (corrected): Willful neglect occurred but was corrected within the required time frame. Penalties are higher and may include monitoring via a corrective action plan.
- Tier 4 — Willful neglect (not corrected): The most serious civil tier, with the highest per-violation penalties and annual caps, often accompanied by stringent corrective obligations.
Civil penalties are assessed per violation, which can mean per individual record, per day, or per requirement violated, depending on the facts. Annual caps apply per violation type and are adjusted for inflation.
Criminal Penalties
- Knowing violations: Fines and up to 1 year of imprisonment.
- False pretenses: Higher fines and up to 5 years of imprisonment.
- Intent to profit or harm: Highest fines and up to 10 years of imprisonment.
Factors That Influence Penalties
- Nature and extent of the violation and resulting harm.
- Number of individuals affected and duration of noncompliance.
- Corrective actions taken, speed of response, and cooperation with investigators.
- Prior compliance history and the entity’s financial condition.
- Effectiveness of existing policies, training, and technical safeguards.
Compliance Best Practices
Governance and Risk Management
- Designate a privacy officer and a security officer with clear authority.
- Perform an enterprise-wide risk analysis and maintain a living risk management plan.
- Document decisions on “addressable” controls (e.g., encryption) and implement compensating safeguards where needed.
Policies, Training, and Minimum Necessary
- Maintain current policies for the Privacy, Security, and Breach Notification Rules.
- Train all workforce members upon hire and annually; track attendance and comprehension.
- Apply the minimum necessary standard to limit access, use, and disclosure.
Technical and Physical Safeguards
- Use unique IDs, role-based access, multi-factor authentication, and automatic logoff.
- Enable audit logs and regularly review access reports for inappropriate activity.
- Encrypt PHI in transit and at rest where feasible; secure devices and media with proper disposal procedures.
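The audit-log review in the list above is where most "minimum necessary" and snooping violations are actually caught. As an added illustration (not code from this guide or from Accountable), the script below runs four checks over a constructed EHR audit trail: an action the user's role does not need, access to a patient with no documented care-team relationship, any touch of a record flagged for heightened scrutiny, and bulk access to many distinct records in a short window. The log lines, roster, role table, thresholds and patient ids are all invented for the example.

```python
"""Review EHR access logs for activity outside the minimum-necessary standard.

Added example, not from the article or any product: the log lines, care-team
roster, role table and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2024-03-04T08:02:11|nurse.jones|RN|P1001|VIEW_CHART
2024-03-04T08:05:40|nurse.jones|RN|P1002|VIEW_CHART
2024-03-04T08:40:02|dr.patel|MD|P1001|UPDATE_NOTES
2024-03-04T09:12:55|billing.kim|BILLING|P1001|VIEW_BILLING
2024-03-04T09:13:10|billing.kim|BILLING|P1001|VIEW_CHART
2024-03-04T12:30:00|nurse.jones|RN|P2077|VIEW_CHART
2024-03-04T22:15:03|clerk.lee|CLERK|P3001|VIEW_DEMOGRAPHICS
2024-03-04T22:15:20|clerk.lee|CLERK|P3002|VIEW_DEMOGRAPHICS
2024-03-04T22:15:41|clerk.lee|CLERK|P3003|VIEW_DEMOGRAPHICS
2024-03-04T22:16:02|clerk.lee|CLERK|P3004|VIEW_DEMOGRAPHICS
"""

# Constructed treatment/payment relationships: who is on each patient's team.
CARE_TEAM = {
    "P1001": {"nurse.jones", "dr.patel", "billing.kim"},
    "P1002": {"nurse.jones"},
    "P2077": {"dr.patel"},  # nurse.jones has no relationship with this record
}

# Role-based reading of "minimum necessary": actions each role needs for its job.
ROLE_ACTIONS = {
    "RN": {"VIEW_CHART", "UPDATE_NOTES"},
    "MD": {"VIEW_CHART", "UPDATE_NOTES", "ORDER"},
    "BILLING": {"VIEW_BILLING"},
    "CLERK": {"VIEW_DEMOGRAPHICS"},
}

# Records under heightened scrutiny (VIP or employee-patients); constructed.
SENSITIVE_PATIENTS = {"P2077"}

BULK_THRESHOLD = 3          # distinct patients by one user within the window
BULK_WINDOW_SECONDS = 120


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review_access(events):
    """Return (user, patient, reason) findings for the privacy officer's review."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        user, patient, action, role = e["user"], e["patient"], e["action"], e["role"]
        # 1. Action outside what the role needs for its job function.
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append((user, patient, f"role {role} not permitted {action}"))
        # 2. Access with no documented treatment or payment relationship.
        if user not in CARE_TEAM.get(patient, set()):
            findings.append((user, patient, "no care-team relationship"))
        # 3. Any touch of a sensitive record is reviewed, relationship or not.
        if patient in SENSITIVE_PATIENTS:
            findings.append((user, patient, "sensitive record accessed"))
        per_user[user].append(e)
    # 4. Bulk access: many distinct records in a short window (possible scraping).
    for user, evs in per_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= BULK_WINDOW_SECONDS]
            distinct = {x["patient"] for x in window}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append((user, "*", f"{len(distinct)} records in {BULK_WINDOW_SECONDS}s"))
                break
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{user:14} {patient:6} {reason}")
```

Each finding is a lead for a human reviewer, not a verdict: a clerk registering walk-ins legitimately has no care-team entry, so in practice the relationship check is tuned per role. What matters for enforcement readiness is that the checks run on a schedule, the reviews are documented, and confirmed misuse is escalated, since a knowing access with no job reason is the conduct DOJ prosecutes.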
Third Parties and Data Handling
- Execute BAAs before any data sharing; assess vendor security and monitor performance.
- Use secure cloud configurations; validate that storage, backups, and logs are not publicly accessible.
- Limit exports of PHI; control and monitor API and bulk data access.
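"Validate that storage, backups, and logs are not publicly accessible" is a check that can be automated against the bucket's policy document before anything is uploaded. The following is an added example, not code from this guide or from Accountable: it evaluates an S3-style bucket policy offline and lists the Allow statements that grant access to an unscoped wildcard principal, showing a weak policy beside a corrected one. Bucket names, role ARNs and the account id are constructed placeholders.

```python
"""Flag storage bucket policies that would expose backups or logs publicly.

Added illustration, not from the article or any product. It evaluates an
S3-style bucket policy document offline; bucket names, ARNs and the account
id are constructed placeholders.
"""
import json

# Constructed weak policy: anonymous read and list on a backup bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-phi-backups/*"},
        {"Sid": "AllAWSList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-phi-backups"},
    ],
})

# Constructed corrected policy: one named backup role, TLS required, plus an
# explicit deny of insecure transport for everyone.
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-phi-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-phi-backups",
                      "arn:aws:s3:::example-phi-backups/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Condition keys that narrow a wildcard principal to a known account, org or
# network. Other conditions (e.g. aws:SecureTransport alone) do not.
SCOPING_CONDITION_KEYS = {"aws:PrincipalAccount", "aws:PrincipalOrgID",
                          "aws:PrincipalArn", "aws:SourceVpc", "aws:SourceVpce"}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for '*' or {'AWS': '*'} (including a list that contains '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def has_scoping_condition(statement):
    """True if any condition key restricts who the wildcard principal can be."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key in SCOPING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements reachable by anyone on the internet."""
    policy = json.loads(policy_json)
    public = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # a Deny to '*' is a guardrail, not an exposure
        if is_wildcard_principal(st.get("Principal")) and not has_scoping_condition(st):
            public.append(st.get("Sid", "<no Sid>"))
    return public


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)]:
        print(name, "public statements:", public_statements(pol) or "none")
```

A policy check of this kind belongs in the deployment pipeline so a public grant is rejected before PHI lands in the bucket; it complements, rather than replaces, account-level public-access blocking and the periodic review of where backups and logs actually live.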
Incident Response and HIPAA Enforcement Readiness
- Maintain an incident response plan with defined roles, timelines, and legal review.
- Investigate, mitigate, and notify affected parties without unreasonable delay and within 60 days of discovery.
- Preserve documentation—risk analyses, training logs, BAAs, audit trails—to demonstrate due diligence during OCR reviews.
Conclusion
This HIPAA enforcement guide distinguishes negligence-driven civil violations from intent-driven criminal offenses. By understanding OCR’s role, DOJ’s thresholds, the Four-Tiered Penalty System, and the factors that shape outcomes, you can build controls that protect medical record privacy, prevent Unauthorized Disclosure, and withstand regulatory scrutiny.
FAQs
What distinguishes a criminal HIPAA violation from a civil one?
Intent. Civil violations stem from negligence or lack of reasonable safeguards, handled primarily by OCR. Criminal violations involve knowingly obtaining, using, or disclosing PHI in violation of HIPAA—especially under false pretenses or for profit or harm—and are prosecuted by the Department of Justice.
What types of penalties apply to civil HIPAA violations?
OCR applies the Four-Tiered Penalty System, with per-violation fines that escalate based on culpability and annual caps per violation type. Outcomes often include corrective action plans, independent monitoring, and documentation requirements in addition to monetary penalties.
How does the Department of Justice handle criminal HIPAA cases?
DOJ assesses evidence of knowing conduct and intent, often coordinating with OCR and other agencies. Prosecutors may bring HIPAA charges alongside related crimes like identity theft or fraud, seeking fines, restitution, and imprisonment proportionate to the offender’s intent and the harm caused.
What are common examples of accidental HIPAA breaches?
Misdirected emails or faxes, releasing records to the wrong patient, lost or stolen unencrypted devices, misconfigured cloud storage exposing PHI, conversations in public areas that reveal PHI beyond the minimum necessary, and family members accessing records without proper authorization.